Author Topic: Windows/win32/serrvices.exe Sirefef-AHF [trj]  (Read 15294 times)

zlimrida

  • Guest
Windows/win32/serrvices.exe Sirefef-AHF [trj]
« on: September 01, 2012, 03:58:54 PM »
Hello..

My services.exe is infected with Sirefef-AHF [trj], which AVG picks up but it is not possible to remove.
I have had it for at least 3 weeks now, and this thing has shut down my computer a couple of times; one time
I had to run system recovery to be able to boot up the laptop.
Since I am a complete amateur, I have no idea what to do. Please help.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #1 on: September 01, 2012, 04:03:06 PM »
Hello and welcome to avast.  ;)
http://forum.avast.com/index.php?topic=53253.0

Please read this guide. I need log reports from Malwarebytes, OTL and aswMBR.

zlimrida

  • Guest
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #2 on: September 01, 2012, 05:19:43 PM »
Malwarebytes: Came out in Norwegian, Google Translate works on it

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Databaseversjon: v2012.09.01.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Zlim :: ZLIM-HP [administrator]

01.09.2012 16:16:56
mbam-log-2012-09-01 (16-16-56).txt

Skanntype: Hurtigsøk
Aktiverte skanningsinnstillinger: Minne | Oppstart | Register | Filsystem | Heuristikk/Ekstra | Heuristikk/Shuriken | PUP | PUM
Deaktiverte skanninnstillinger: P2P
Objekter skannet: 196969
Tid tilbakelagt: 3 minutt(er), 41 sekund(er)

Minneprosesser oppdaget: 0
(Ingen skadelige objekter funnet)

Minnemoduler oppdaget: 0
(Ingen skadelige objekter funnet)

Registernøkler oppdaget: 0
(Ingen skadelige objekter funnet)

Registerverdier oppdaget: 0
(Ingen skadelige objekter funnet)

Registerfiler oppdaget: 0
(Ingen skadelige objekter funnet)

Mapper oppdaget: 0
(Ingen skadelige objekter funnet)

Filer oppdaget 6
C:\$Recycle.Bin\S-1-5-21-1008104762-4221902305-1862361787-1000\$RWTUJJ3\epicbot_520(1).exe (PUP.BundleOffers.IIQ) -> Satt i karantene og slettet vellykket.
C:\Users\Zlim\Downloads\epicbot_520.exe (PUP.BundleOffers.IIQ) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\n (Rootkit.0Access) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\L\00000008.@ (Trojan.BitMiner) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\000000cb.@ (Rootkit.0Access) -> Satt i karantene og slettet vellykket.

(klar)


OTL. in attachment



MBR:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-01 17:01:22
-----------------------------
17:01:22.493    OS Version: Windows x64 6.1.7601 Service Pack 1
17:01:22.493    Number of processors: 4 586 0x2A07
17:01:22.493    ComputerName: ZLIM-HP  UserName: Zlim
17:01:24.642    Initialize success
17:01:24.736    AVAST engine defs: 12090100
17:01:55.000    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:01:55.000    Disk 0 Vendor: TOSHIBA_ GT00 Size: 715404MB BusType: 3
17:01:55.047    Disk 0 MBR read successfully
17:01:55.047    Disk 0 MBR scan
17:01:55.047    Disk 0 Windows 7 default MBR code
17:01:55.062    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
17:01:55.093    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       692042 MB offset 409600
17:01:55.125    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        19099 MB offset 1417711616
17:01:55.156    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0     4062 MB offset 1456826368
17:01:55.187    Disk 0 scanning C:\Windows\system32\drivers
17:02:03.627    Service scanning
17:02:36.574    Modules scanning
17:02:36.590    Disk 0 trace - called modules:
17:02:37.136    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:02:37.136    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8008ada060]
17:02:37.151    3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007859050]
17:02:38.040    AVAST engine scan C:\Windows
17:02:40.677    AVAST engine scan C:\Windows\system32
17:03:28.217    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Patched-AKC [Trj]
17:03:47.024    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
17:03:48.604    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
17:04:39.571    AVAST engine scan C:\Windows\system32\drivers
17:04:49.917    AVAST engine scan C:\Users\Zlim
17:11:40.604    AVAST engine scan C:\ProgramData
17:13:15.751    Scan finished successfully
17:14:58.119    Disk 0 MBR has been saved successfully to "C:\Users\Zlim\Desktop\MBR.dat"
17:14:58.123    The log file has been saved successfully to "C:\Users\Zlim\Desktop\aswMBR.txt"


17:26:46.081    Disk 0 MBR has been saved successfully to "C:\Users\Zlim\Desktop\MBR.dat"
17:26:46.102    The log file has been saved successfully to "C:\Users\Zlim\Desktop\aswMBR.txt"


« Last Edit: September 01, 2012, 05:27:39 PM by zlimrida »
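
A triage sketch for the two logs posted in Reply #2, as an added example that is not part of the original thread or of any tool named in it: it pulls the detection lines out of aswMBR and Malwarebytes output and groups them by location. The category names and regular expressions are assumptions based on the paths seen in this thread; the sample lines are copied from the logs above.

```python
import re

# Lines copied from the aswMBR and Malwarebytes logs posted in this thread.
SAMPLE_LOG = r"""
17:03:28.217    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Patched-AKC [Trj]
17:03:47.024    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
17:03:48.604    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
17:04:39.571    AVAST engine scan C:\Windows\system32\drivers
C:\$Recycle.Bin\S-1-5-21-1008104762-4221902305-1862361787-1000\$RWTUJJ3\epicbot_520(1).exe (PUP.BundleOffers.IIQ) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\n (Rootkit.0Access) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\000000cb.@ (Rootkit.0Access) -> Satt i karantene og slettet vellykket.
"""

# aswMBR: "<time>  File: <path>  **INFECTED** <detection name>"
ASWMBR_HIT = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<name>.+)$")
# Malwarebytes: "<path> (<detection name>) -> <action taken>"
MBAM_HIT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> .+$")

# Assumed categories, derived only from the locations reported in this thread.
CATEGORIES = [
    ("patched-system-binary", re.compile(r"\\windows\\system32\\[^\\]+\.exe$", re.I)),
    ("gac-desktop-ini", re.compile(r"\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.I)),
    ("installer-guid-store", re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\", re.I)),
]

def categorize(path):
    """Map a detected path to the first matching category, else 'other'."""
    for label, pattern in CATEGORIES:
        if pattern.search(path):
            return label
    return "other"

def parse_detections(text):
    """Return one record per detection line from either tool's log."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        for tool, pattern in (("aswMBR", ASWMBR_HIT), ("Malwarebytes", MBAM_HIT)):
            match = pattern.match(line)
            if match:
                path = match.group("path")
                hits.append({"tool": tool, "path": path,
                             "name": match.group("name").strip(),
                             "category": categorize(path)})
                break
    return hits

def group_by_category(hits):
    """Collect detected paths under their category label."""
    grouped = {}
    for hit in hits:
        grouped.setdefault(hit["category"], []).append(hit["path"])
    return grouped

def files_needing_clean_copy(hits):
    """Patched system binaries are replaced from a known-good copy, not deleted."""
    return sorted({h["path"] for h in hits if h["category"] == "patched-system-binary"})

if __name__ == "__main__":
    found = parse_detections(SAMPLE_LOG)
    for category, paths in group_by_category(found).items():
        print(f"{category}: {len(paths)}")
    print("replace from clean source:", files_needing_clean_copy(found))
```
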

zlimrida

  • Guest
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #3 on: September 01, 2012, 05:25:33 PM »
Ok
« Last Edit: September 01, 2012, 05:28:03 PM by zlimrida »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #4 on: September 01, 2012, 05:29:50 PM »
We need aswMBR.txt, not the .dat file

zlimrida

  • Guest
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #5 on: September 01, 2012, 05:47:54 PM »
Quote from: Pondus
We need aswMBR.txt, not the .dat file

Yes, fixed it now :P

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #6 on: September 01, 2012, 06:06:07 PM »
Multiple Antivirus Programs

You are running more than 1 Antivirus program!


AV: AVAST Software
AV: AVG Technologies CZ



Running more than one antivirus program is not recommended because:
  • They can conflict with each other.
  • They can report the other antivirus software as malicious.
  • Antivirus programs use an enormous amount of a computer's resources while actively scanning your computer.
  • They can cause your computer to become unstable, run slowly and even, in rare cases, crash with a BSOD, etc.

I strongly suggest you uninstall one of them.
Which one is your decision.


************************
  Step#1 


> Temporarily disable your AntiVirus&AntiMalware program.
If you are unsure how to do this please read this or this Instruction.



Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

    Code:

    :processes
    killallprocesses

    :OTL
    IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
    IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
    CHR - Extension: uTorrentBar = C:\Users\Zlim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj\2.3.15.10_0\
    O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    [2012/09/01 16:37:41 | 000,232,960 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000008.@
    [2012/07/16 13:52:06 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\L\00000004.@
    [2012/07/16 13:52:05 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000004.@
    [2012/01/16 15:37:11 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\@
    [2012/01/16 15:37:11 | 000,002,048 | -HS- | C] () -- C:\Users\Zlim\AppData\Local\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\@

    :files
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Users\Zlim\AppData\Roaming\mozilla\Firefox\Profiles\jq9aom5h.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
    C:\Users\Zlim\AppData\Roaming\Mozilla\Firefox\Profiles\jq9aom5h.default\searchplugins\askcom.xml
    ipconfig /flushdns /c
    netsh int ip reset c:\resetlog.txt  /c
    ipconfig /release /c
    ipconfig /renew /c
    recycler /alldrives
    sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c
    C:\Windows\SysNative\services.exe|C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe /replace

    :commands
    [purity]
    [CREATERESTOREPOINT]
    [emptytemp]




  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
************************

  Step#2 


  • Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.
       
  • Click on Scan All Users
     
  • Paste this into Custom Scans/Fixes box at the bottom

    Code:


    drives
    /md5start
    services.exe
    /md5stop
    %systemroot%\assembly\GAC_32\*.* /S /MD5
    %systemroot%\assembly\GAC_64\*.* /S /MD5
    %systemroot%\Tasks\*.job /lockedfiles
    c:\windows\installer\@ /s
    c:\windows\installer\*.@ /s
    dir /s /a "C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}" /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    CREATERESTOREPOINT


    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
             
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
                 
      • Please attach them in this thread.
« Last Edit: September 01, 2012, 06:09:22 PM by magna86 »

zlimrida

  • Guest
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #7 on: September 01, 2012, 07:41:59 PM »
Oh, didn't notice the antiviruses, forgot the laptop did a system recovery to its previous state. But fixed now.

Here are the reports:

zlimrida

  • Guest
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #8 on: September 01, 2012, 07:42:43 PM »
Scan

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #9 on: September 01, 2012, 07:48:01 PM »
It is recommended to run the vendor's removal tool to clear any leftover files that may conflict ... then everything goes so much better  ;)
Found here: http://singularlabs.com/uninstallers/security-software/

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #10 on: September 02, 2012, 02:32:45 AM »
Hi,
We need to use a higher power.


> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


> When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
  Attach the log report (ComboFix.txt) back to the topic.




zlimrida

  • Guest
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #11 on: September 02, 2012, 11:50:24 AM »
I get an error with ComboFix:


Incompatible OS, ComboFix only works for workstations with Windows 2000 and XP,

I have Windows 7

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #12 on: September 02, 2012, 12:12:35 PM »
Quote from: zlimrida
I get an error with ComboFix:

Incompatible OS, ComboFix only works for workstations with Windows 2000 and XP,

I have Windows 7

Is that a fresh copy of ComboFix?

-Delete current Combofix.
-Restart your computer.
-Download fresh Combofix and try to run.
-If it fails to run, then again delete old Combofix, download fresh one and try to run in safe mode.

zlimrida

  • Guest
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #13 on: September 02, 2012, 12:58:34 PM »
Does not work, and I assume it's fresh, yeah. I used the link you gave, not sure what's wrong.

Deleted ComboFix, restarted, downloaded, tried to run, same error.
Deleted ComboFix, downloaded, ran in safe mode, same error.
Deleted ComboFix, ran safe mode, downloaded in safe mode, tried to run, same error.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #14 on: September 02, 2012, 01:12:44 PM »
Quote from: zlimrida
... not sure what's wrong

Neither do I  ;D
-----------------------------------
 Step#1.1 

We need to use the RKill Tool by Grinler

> Download and run rKill. rKill will try to kill all malicious processes. Do not reboot your computer. Then immediately try to re-run ComboFix.


Here is full guide and download links:



Rkill.com <--- Download site
    Or:
BleepingComputer

  • Please Download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.

  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

  • Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with  Rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program, when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
 iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

 Step#1.2 
>> Do not reboot your computer. Try now to run Combofix.



********************************

 Step#2 

> If all fails...
Let's use a different approach to all of this. 8)

  • Download FRST64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...


  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • FRST will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • When finished scanning it will make a log FRST.txt on the flash drive.
  • Next
    • Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
    • FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
    • Exit FRST.
  • Close the command window.
  • Boot back into normal mode and post me the FRST.txt and Search.txt logs please.